[Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group

valentin vlasov vmvlasov at yahoo.com
Wed Dec 26 07:13:16 UTC 2018


Hello Dmitry,
1. I have the same problem with a centos <> cisco asa connection with the same behaviour. Can you tell me please what your final settings for ikelifetime, keylife and rekeymargin are?
2. With what periodicity do you run that testing script?
Thanks a lot!
VV

      From: Dmitry Melekhov <dm at belkam.com>
 To: swan at lists.libreswan.org 
 Sent: Tuesday, December 25, 2018 6:38 AM
 Subject: Re: [Swan] cisco asa IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
   
OK, looks like this is an ASA bug: it was not happy with keylife=3600s from libreswan.
I set it to the default, which is the same on the cisco side, and it looks like there is no such problem now, at least while there is no connectivity loss...
  
24.12.2018 9:56, Dmitry Melekhov wrote:
  
Hello! I run cisco ASA 5506-X asa992-36 and libreswan on the other side - CentOS 7.6, ipsec --version:
Linux Libreswan 3.25 (netkey) on 3.10.0-957.1.3.el7.x86_64
  
And sometimes, several times per day, I have a rekeying problem. From the libreswan side it looks like:
  дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: local ESP/AH proposals for peer (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
 дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: STATE_V2_REKEY_CHILD_I
 дек 24 08:55:36 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
 дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds for response
 дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
 дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 1 seconds for response
 дек 24 08:55:37 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
 дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 2 seconds for response
 дек 24 08:55:38 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
 дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 4 seconds for response
 дек 24 08:55:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
 дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 8 seconds for response
 дек 24 08:55:44 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
 дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 16 seconds for response
 дек 24 08:55:52 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
 дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 32 seconds for response
 дек 24 08:56:08 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
 дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7 retransmits.  No response (or no acceptable response) to our IKEv2 message
 дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: starting keying attempt 2 of an unlimited number
 дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: local ESP/AH proposals for peer (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=MODP1024;ESN=DISABLED
 дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #340: deleting state (STATE_V2_REKEY_CHILD_I) and NOT sending notification
дек 24 08:56:40 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: message id deadlock? wait sending, add to send next list using parent #337 unacknowledged 1 next message id=1 ike exchange window 1
дек 24 09:00:00 ast-zab.zab.belkam.com pluto[5971]: "peer" #341: deleting state (STATE_V2_CREATE_I0) and NOT sending notification
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339: deleting state (STATE_V2_IPSEC_R) and sending notification
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #339: ESP traffic information: in=226MB out=117MB
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: expire unused parent SA #337 "peer"
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: received delete request for PROTO_v2_ESP SA(0xf257a6bd) but corresponding state not found
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: ISAKMP SA expired (LATEST!)
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #337: deleting state (STATE_PARENT_R2) and sending notification
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 88.80.32.210:500: INFORMATIONAL message request has no corresponding IKE SA
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from 88.80.32.210:500: ISAKMP_v2_INFORMATIONAL message response has no matching IKE SA
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: assign_holdpass() no bare shunt to remove? - mismatch?
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: initiate on demand from 192.168.200.33:0 to 192.168.200.34:0 proto=47 because: acquire
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: initiating v2 parent SA
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from asaip:500: ignoring unknown Vendor ID payload [434953434f28434f505952494748542926436f70797269676874202863292032...]
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: packet from asaip:500: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024  chosen from remote proposals1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024[first-match]
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: STATE_PARENT_I1: sent v2I1, expected v2R1
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #342: local ESP/AH proposals for peer (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha1_96 prf=sha group=MODP1024}
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: IKEv2 mode peer ID is ID_IPV4_ADDR: '88.80.32.210'
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: Authenticated using authby=secret
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: local ESP/AH proposals for peer (IKE SA responder matching remote ESP/AH proposals):  1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: proposal 1:ESP:SPI=d98dfdbf;ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;ESN=DISABLED[first-match]
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #343: received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345: negotiated connection [192.168.200.33-192.168.200.33:0-65535 0] -> [192.168.200.34-192.168.200.34:0-65535 0]
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #345: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xd98dfdbf <0xd5eba6e1 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: IKEv2 mode peer ID is ID_IPV4_ADDR: 'asaip'
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: Authenticated using authby=secret
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: negotiated connection [192.168.200.33-192.168.200.33:0-65535 0] -> [192.168.200.34-192.168.200.34:0-65535 0]
 дек 24 09:00:06 ast-zab.zab.belkam.com pluto[5971]: "peer" #344: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x3956d69f <0x0b6fe415 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
 
From the ASA side:
  Dec 24 08:55:36 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 08:55:36 192.168.42.129 %ASA-4-750003: Local:asaip:500 Remote:libreswanip:500 Username:libreswanip IKEv2 Negotiation aborted due to ERROR: The peer's KE payload contained the wrong DH group
 Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 08:55:37 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 08:55:38 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 08:55:40 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 08:55:44 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 08:55:52 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 08:56:08 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xBCAAE666) between asaip and libreswanip (user= libreswanip) has been deleted.
 Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xF257A6BD) between libreswanip and asaip (user= libreswanip) has been deleted.
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2 times: [ ESP request discarded from libreswanip to outside:asaip]
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
 Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 09:00:06 192.168.42.129 %ASA-5-750007: Local:asaip:500 Remote:libreswanip:500 Username:libreswanip IKEv2 SA DOWN. Reason: peer request
 Dec 24 09:00:06 192.168.42.129 %ASA-4-113019: Group = libreswanip, Username = libreswanip, IP = libreswanip, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:00m:00s, Bytes xmt: 237319950, Bytes rcv: 122586307, Reason: User Requested
 Dec 24 09:00:06 192.168.42.129 %ASA-5-750001: Local:asaip:500 Remote:libreswanip:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.200.34-192.168.200.34 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 192.168.200.33-192.168.200.33 Protocol: 0 Port Range: 0-65535 
 Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 09:00:06 192.168.42.129 %ASA-5-750002: Local:asaip:500 Remote:libreswanip:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
 Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500 Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New Connection Established
 Dec 24 09:00:06 192.168.42.129 %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = libreswanip
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
 Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip (user= libreswanip) has been created.
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
 Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x3956D69F) between asaip and libreswanip (user= libreswanip) has been created.
 Dec 24 09:00:06 192.168.42.129 %ASA-7-713906: IKE Receiver: Packet received on asaip:500 from libreswanip:500
 Dec 24 09:00:06 192.168.42.129 %ASA-5-750006: Local:asaip:500 Remote:libreswanip:500 Username:libreswanip IKEv2 SA UP. Reason: New Connection Established
 Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0B6FE415) between asaip and libreswanip (user= libreswanip) has been deleted.
 Dec 24 09:00:06 192.168.42.129 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x3956D69F) between libreswanip and asaip (user= libreswanip) has been deleted.
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
 Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xD5EBA6E1) between asaip and libreswanip (user= libreswanip) has been created.
 Dec 24 09:00:06 192.168.42.129 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD98DFDBF) between asaip and libreswanip (user= libreswanip) has been created.
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 2 times: [ ESP request discarded from libreswanip to outside:asaip]
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: message repeated 3 times: [ ESP request discarded from libreswanip to outside:asaip]
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
 Dec 24 09:00:06 192.168.42.129 %ASA-7-710006: ESP request discarded from libreswanip to outside:asaip
  
As you can see, connections are created, but the ASA drops ESP packets...
  
  Configuration: 
  libreswan:
conn peer
        left=libreswanip
        right=asaip
        leftsubnet=192.168.200.33/32
        rightsubnet=192.168.200.34/32
        ike=aes256-sha1;modp1024
        ikev2=insist
        pfs=yes
        ikelifetime=28800s
        phase2alg=aes256-sha1
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
        dpddelay=10
        dpdtimeout=2
        dpdaction=restart
        #dpdaction=hold
  
  asa:
  crypto ipsec ikev2 ipsec-proposal zabegalovo
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800

crypto map russneft-ipsec 50 match address ZABEGALOVO-IPSEC
crypto map russneft-ipsec 50 set peer libreswanip 
crypto map russneft-ipsec 50 set ikev2 ipsec-proposal zabegalovo

access-list ZABEGALOVO-IPSEC extended permit ip host 192.168.200.34 host 192.168.200.33 



Right now I'm solving this with a script, which checks whether the other side is available by ping and restarts the connection if not:
/usr/sbin/ipsec auto --down peer;/usr/sbin/ipsec auto --up peer


Could you tell me if something is wrong in my configuration?
Or is this an ASA or libreswan bug?

Thank you!

 
 
  _______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
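The pluto log quoted above has a clear signature: the CREATE_CHILD_SA rekey (proposing DH=MODP1024) is answered only with an INVALID_KE_PAYLOAD notification, libreswan drops each reply as unexpected, retransmits with doubling delays, and gives up with "60 second timeout exceeded after 7 retransmits". The following is an added example, not code from either participant: a small monitor in the spirit of Dmitry's ping-and-restart script that also watches the log for that signature. It assumes the conn is named "peer", that pluto logs to the journald unit "ipsec", and that 192.168.200.34 is a far-side address worth pinging; the sample log lines at the bottom are constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the thread: detect the rekey-failure signature from the
# pluto log above (CREATE_CHILD_SA answered only with INVALID_KE_PAYLOAD, then
# "60 second timeout exceeded") and restart the conn as the --down/--up workaround
# does. Assumptions: conn "peer", pluto logs in journald unit "ipsec", far-side IP.
CONN="${CONN:-peer}"
PEER_CHECK_IP="${PEER_CHECK_IP:-192.168.200.34}"

# rekey_failed LOGTEXT: 0 if a child rekey was rejected with INVALID_KE_PAYLOAD
# and then hit the retransmit timeout, 1 otherwise.
rekey_failed() {
    printf '%s\n' "$1" | grep -q 'INVALID_KE_PAYLOAD' || return 1
    printf '%s\n' "$1" | grep -q 'STATE_V2_REKEY_CHILD_I: .*timeout exceeded' || return 1
}

# count_dh_group_rejects LOGTEXT: INVALID_KE_PAYLOAD notifications seen (one per
# retransmission of the failing exchange; a useful metric to graph over time).
count_dh_group_rejects() {
    printf '%s\n' "$1" | grep -c 'INVALID_KE_PAYLOAD' || true
}

# Last N minutes of pluto output (assumed journald unit name "ipsec").
recent_pluto_log() {
    journalctl -u ipsec --since "-${1:-10}min" --no-pager 2>/dev/null || true
}

peer_reachable() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

restart_conn() {
    /usr/sbin/ipsec auto --down "$1"
    /usr/sbin/ipsec auto --up "$1"
}

# One pass (run from cron): restart if the rekey failed or the far side
# stopped answering pings. Returns 0 when a restart was issued.
monitor_once() {
    log=$(recent_pluto_log 10)
    if rekey_failed "$log" || ! peer_reachable "$PEER_CHECK_IP"; then
        restart_conn "$CONN"; return 0
    fi
    return 1
}

# Constructed sample lines in the format of the log above, for a dry run.
SAMPLE_LOG='pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification
pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: retransmission; will wait 0.5 seconds for response
pluto[5971]: "peer" #340: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification
pluto[5971]: "peer" #340: STATE_V2_REKEY_CHILD_I: 60 second timeout exceeded after 7 retransmits.'
HEALTHY_LOG='pluto[5971]: "peer" #345: STATE_V2_IPSEC_R: IPsec SA established tunnel mode'
[ "${1:-}" = "run" ] && monitor_once
```

Run it as `sh monitor.sh run` from cron at whatever interval suits the rekeymargin; without the `run` argument it only defines the functions, so the detector can be tested against saved log text first.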


   